Manage Security Risk - Module 4


Playbook Updates are often made if:

- A failure is identified, such as an oversight in the outlined policies and procedures, or in the playbook itself.
- There is a change in industry standards, such as changes in laws or regulatory compliance.
- The cybersecurity landscape changes due to evolving threat actor tactics and techniques.

You can use playbooks for:

- Open attacks
- Privacy incidents
- Data leaks
- Denial of service attacks
- Service alerts
- Others

Which of the following statements accurately describe playbooks? Select three answers.

- Organizations use different types of playbooks for different situations.
- A playbook helps security teams respond to urgent situations quickly.
- A playbook improves accuracy when identifying and mitigating an incident.

Incident response playbook phases

- Preparation
- Detection and analysis
- Containment
- Eradication and recovery
- Post-incident activity
- Coordination

What does a security team do when updating and improving a playbook? Select all that apply.

- Refine response strategies for future incidents
- Consider learnings from past security incidents
- Discuss ways to improve security posture

In what ways do SIEM tools and playbooks help security teams respond to an incident? Select all that apply.

- SIEM tools detect threats.
- SIEM tools and playbooks work together to provide a structured way of responding to incidents.
- SIEM tools alert the security team to potential problems.

Playbook

A manual that provides details about any operational action

security information and event management (SIEM)

An application that collects and analyzes log data to monitor critical activities in an organization

Incident response

An organization's quick attempt to identify an attack, contain the damage, and correct the effects of a security breach

Which action can a security analyst take when they are assessing a SIEM alert?

Analyze log data and related metrics

Which phase of an incident response playbook is primarily concerned with preventing further damage and reducing the immediate impact of a security incident?

Containment

A security analyst wants to ensure an organized response and resolution to a security breach. They share information with key stakeholders based on the organization's established standards. What phase of an incident response playbook does this scenario describe?

Coordination

A business recently experienced a security breach. Security professionals are currently restoring the affected data using a clean backup that was created before the incident. What playbook phase does this scenario describe?

Eradication and recovery

Playbooks are permanent, best-practice documents, so a security team should not make changes to them.

False

In which incident response playbook phase would a security team document an incident to ensure that their organization is better prepared to handle future security events?

Post-incident activity

A security analyst documents procedures to be followed in the event of a security breach. They also establish staffing plans and educate employees. What phase of an incident response playbook does this scenario describe?

Preparation

What is the relationship between SIEM tools and playbooks?

They work together to provide a structured and efficient way of responding to security incidents.

In the event of a security incident, when would it be appropriate to refer to an incident response playbook?

Throughout the entire incident

Fill in the blank: Once a security incident is resolved, security analysts perform various post-incident activities and _____ efforts with the security team.

coordination

Fill in the blank: During the _____ phase, security professionals use tools and strategies to determine whether a breach has occurred and to evaluate its potential magnitude.

detection and analysis

Fill in the blank: Incident response is an organization's quick attempt to _____ an attack, contain the damage, and correct its effects.

identify

SOAR (security orchestration, automation, and response) tools

Software used to automate repetitive tasks generated by tools such as a SIEM or a managed detection and response (MDR) service.
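The SIEM and SOAR definitions above are abstract, so here is an added worked example (not part of the course material) of the pipeline they describe: a toy SIEM correlation rule that collects and analyzes constructed auth-log lines and raises an alert, followed by a SOAR-style function that automates the repetitive containment step of the playbook. The log format, the brute-force threshold, the allowlist, and the action names are assumptions chosen for the illustration; a real SOAR would call a firewall or EDR API where this code only records the action.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample auth log (sshd-style) for this example only; not real data.
SAMPLE_LOGS = """\
2024-05-01T10:00:01 sshd[101]: Failed password for root from 203.0.113.7
2024-05-01T10:00:03 sshd[102]: Failed password for admin from 203.0.113.7
2024-05-01T10:00:04 sshd[103]: Accepted password for alice from 198.51.100.5
2024-05-01T10:00:05 sshd[104]: Failed password for root from 203.0.113.7
2024-05-01T10:00:06 sshd[105]: Failed password for guest from 203.0.113.7
2024-05-01T10:00:08 sshd[106]: Failed password for root from 203.0.113.7
2024-05-01T10:04:00 sshd[107]: Failed password for bob from 192.0.2.9
2024-05-01T10:09:00 sshd[108]: Failed password for bob from 192.0.2.9
"""

LOG_RE = re.compile(
    r"^(?P<ts>\S+) sshd\[\d+\]: (?P<result>Failed|Accepted) password "
    r"for (?P<user>\S+) from (?P<src>\S+)$"
)


def parse_logs(text):
    """SIEM 'collect' step: normalise raw lines into event dicts."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:  # unparseable lines are skipped, never fatal
            continue
        events.append({
            "ts": datetime.fromisoformat(m["ts"]),
            "result": m["result"],
            "user": m["user"],
            "src": m["src"],
        })
    return events


def detect_bruteforce(events, threshold=5, window=timedelta(seconds=60)):
    """SIEM 'analyze/alert' step: one alert per source IP that produces
    `threshold` failed logins inside a sliding `window` (assumed rule)."""
    recent = defaultdict(deque)  # src -> timestamps of recent failures
    alerted = set()
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["result"] != "Failed":
            continue
        q = recent[ev["src"]]
        q.append(ev["ts"])
        while q and ev["ts"] - q[0] > window:  # drop failures outside the window
            q.popleft()
        if len(q) >= threshold and ev["src"] not in alerted:
            alerted.add(ev["src"])
            alerts.append({
                "rule": "ssh_bruteforce",
                "src": ev["src"],
                "failures": len(q),
                "first_seen": q[0],
                "last_seen": ev["ts"],
            })
    return alerts


def run_playbook(alerts, allowlist=frozenset()):
    """SOAR-style automation of the repetitive playbook step for each alert:
    run containment (block the source) unless the source is allowlisted, in
    which case hand it to an analyst. Every decision is recorded so the
    post-incident review has a trail. Action names are hypothetical."""
    actions = []
    for a in alerts:
        if a["src"] in allowlist:
            actions.append({"src": a["src"], "phase": "detection and analysis",
                            "action": "escalate_to_analyst",
                            "reason": "source on allowlist; no automatic block"})
        else:
            actions.append({"src": a["src"], "phase": "containment",
                            "action": "block_source_ip",
                            "reason": f"{a['failures']} failed logins in window"})
    return actions


if __name__ == "__main__":
    found = detect_bruteforce(parse_logs(SAMPLE_LOGS))
    for act in run_playbook(found, allowlist={"198.51.100.5"}):
        print(act)
```

Running the block alerts only on 203.0.113.7 (five failures in seven seconds); the two failures from 192.0.2.9 are five minutes apart and fall outside the window, which is the kind of tuning a team revisits when a playbook update is triggered by false positives or misses.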

Fill in the blank: During the _____ phase, security teams may conduct a full-scale analysis to determine the root cause of an incident and use what they learn to improve the company's overall security posture.

post-incident activity

